diff --git a/config/jobs/update-secrets/update-secrets.yaml b/config/jobs/update-secrets/update-secrets.yaml
new file mode 100644
index 0000000000..4263147445
--- /dev/null
+++ b/config/jobs/update-secrets/update-secrets.yaml
@@ -0,0 +1,27 @@
+postsubmits:
+ falcosecurity/test-infra:
+ - name: update-secrets-post-submit
+ branches:
+ - ^master$
+ decorate: true
+ max_concurrency: 1
+ run_if_changed: '^config/secrets.yaml$'
+ spec:
+ containers:
+ - image: ghcr.io/falcosecurity/pigeon:v0.3.0
+ command:
+ - pigeon
+ args:
+ - --conf=config/secrets.yaml
+ - --gh-token=/etc/github/oauth
+ - --verbose
+ volumeMounts:
+ - name: github
+ mountPath: /etc/github
+ readOnly: true
+ volumes:
+ - name: github
+ secret:
+ secretName: oauth-token
+ nodeSelector:
+ Archtype: "x86"
diff --git a/config/secrets.yaml b/config/secrets.yaml
new file mode 100644
index 0000000000..bf6bdb984f
--- /dev/null
+++ b/config/secrets.yaml
@@ -0,0 +1,20 @@
+orgs:
+ falcosecurity:
+ actions:
+ secrets:
+ - DOCKERHUB_SECRET
+ - DOCKERHUB_USER
+ repos:
+ falco:
+ actions:
+ secrets:
+ - GPG_KEY
+ libs:
+ actions:
+ secrets:
+ - FEDEDP_GIST_SECRET
+ - PPC64LE_HOST
+ - PPC64LE_KEY
+ - PPC64LE_PORT
+ - PPC64LE_USERNAME
+
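Review bot: The container on the `image:` line is pinned only by the mutable tag `v0.3.0`, yet this job mounts the `oauth-token` secret and, judging by its arguments, manages Actions secrets with it, so a re-pushed tag would run with that token. Pin it by digest, for example `- image: ghcr.io/falcosecurity/pigeon:v0.3.0@sha256:<DIGEST_OF_V0.3.0>` (placeholder; take the real digest from the registry). The `--verbose` argument also deserves a check: if this job's Prow logs are publicly readable, confirm the tool never prints secret values or the token at that level, or drop the flag.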
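Review bot: config/secrets.yaml has no header comment saying what belongs in it, and it should, because a merge that touches it triggers the postsubmit that runs with the org OAuth token. I would open the file with something like `# Names of GitHub Actions secrets managed by the update-secrets postsubmit; names only, never values.` and one more line on where the values are resolved from, which this diff does not show. If approvers for this path are not already restricted elsewhere (for example via an OWNERS file), that is worth doing alongside. The file also ends with an empty added line after `- PPC64LE_USERNAME`, which can be dropped.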